SANS Internet Storm Center - SANS ISC InfoSec Forums


Kaspersky flags TCPIP.SYS as Malware

One of our readers has alerted us to the fact that Kaspersky AV has identified tcpip.sys as malware on his Windows 7 32-bit hosts; the file is flagged as "HEUR:Trojan.Win32.Generic".

Fortunately, Microsoft's system file protection (Windows File Protection on Windows 2000/XP, http://support.microsoft.com/kb/222193 , and its successor Windows Resource Protection on Vista and 7) prevented it from quarantining this critical file, but his end users were all treated to the error message (from both the AV and, I'm guessing, the OS).

His copy is the Check Point OEM version of Kaspersky, but it appears to be a Kaspersky issue, not something Check Point-specific.

Kaspersky has confirmed ( https://twitter.com/kaspersky/status/393777843341393920 ) that this is resolved in their latest signature update. If you're seeing this issue, get your AV to "phone home" for the fix!

 

===============
Rob VandenBrink
Metafore
ISC Handler

I don't have time to research it at the moment, but didn't tcpip.sys get flagged as malware a few years ago by an AV?
PhilBAR
You would think that by now antivirus vendors would have signatures of "known safe files": SHA-1 message digests of known system files, both from the original media and the updated hashes of the files on clean systems before and after every valid combination of Windows updates/patches to the file.

There's really no reason in the world it ought to be possible to have a false positive on TCPIP.SYS; the crypto hash of the legitimate versions of the file should be well known by now.
Mysid
Happened here too.
Anonymous
Hi,

Temporary solution:

1. Do not restart the computer.
2. Restore tcpip.sys from the quarantine folder.
3. Create an exclusion rule for "C:\Windows\System32\drivers\tcpip.sys".
Anonymous
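A check worth running before acting on either of the two suggestions above (Mysid's known-good hash allowlist, and the restore-from-quarantine-then-exclude workaround): verify that the tcpip.sys on the host is the genuine Microsoft driver before you put it back and tell the AV to ignore it. This is an added PowerShell example, not code from the diary, the commenters, Kaspersky or Microsoft. It assumes a local allowlist of SHA-256 values that you collect yourself from clean hosts at the same patch level (the entry shown is a placeholder, not a real tcpip.sys hash), and it uses the standard driver path from the workaround. It is written to run on the Windows 7 PowerShell 2.0 that the affected hosts ship with, so it avoids Get-FileHash.

```powershell
# Added example: not code from the ISC diary, the commenters, Kaspersky or
# Microsoft. Verifies that tcpip.sys is genuine before it is restored from
# quarantine or given an AV exclusion.
#
# Assumptions (mine, not the page's):
#  - $KnownGood is a local allowlist you build yourself by hashing tcpip.sys on
#    clean reference hosts before and after each patch; the entry below is a
#    placeholder, NOT a real hash of any tcpip.sys build.
#  - Target is Windows 7 / PowerShell 2.0, so Get-FileHash (4.0+) is avoided.

$DriverPath = 'C:\Windows\System32\drivers\tcpip.sys'

# Known-good SHA-256 (lowercase hex) -> description. Placeholder only.
$KnownGood = @{
    '0000000000000000000000000000000000000000000000000000000000000000' = 'placeholder: replace with the hash taken from a clean Windows 7 SP1 x86 host'
}

function Get-Sha256Hex([string]$Path) {
    # SHA256.Create() exists in .NET 2.0, so this works where Get-FileHash does not.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))).Replace('-', '').ToLower()
}

function Test-GenuineDriver([string]$Path, [hashtable]$Allowlist) {
    $r = New-Object PSObject -Property @{
        Path        = $Path
        FileVersion = $null
        Sha256      = $null
        SigStatus   = $null
        Signer      = $null
        InAllowlist = $false
        Verdict     = $null
    }

    if (-not (Test-Path -LiteralPath $Path)) {
        # The AV already removed it: the box loses networking on the next reboot.
        $r.Verdict = 'MISSING: restore from quarantine (or a clean host) BEFORE rebooting'
        return $r
    }

    $r.FileVersion = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    $r.Sha256      = Get-Sha256Hex $Path
    $r.InAllowlist = $Allowlist.ContainsKey($r.Sha256)

    # Caveat: on Windows 7, Get-AuthenticodeSignature checks only EMBEDDED
    # signatures. In-box Microsoft drivers are usually catalog-signed, so a
    # 'NotSigned' status here does not by itself mean the file is bad.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $r.SigStatus = $sig.Status.ToString()
    if ($sig.SignerCertificate) { $r.Signer = $sig.SignerCertificate.Subject }

    if ($r.InAllowlist) {
        $r.Verdict = 'GENUINE: hash matches a clean reference host'
    } elseif ($r.SigStatus -eq 'Valid' -and $r.Signer -like '*Microsoft*') {
        $r.Verdict = 'SIGNED by Microsoft but not yet in the local allowlist: record this hash from a clean host'
    } else {
        $r.Verdict = 'UNVERIFIED: compare against a clean host or run sfc /verifyfile before excluding it'
    }
    return $r
}

Test-GenuineDriver -Path $DriverPath -Allowlist $KnownGood |
    Format-List Path, FileVersion, Sha256, SigStatus, Signer, InAllowlist, Verdict

# Independent, catalog-aware check via Windows Resource Protection (elevated prompt):
#   sfc /verifyfile=C:\Windows\System32\drivers\tcpip.sys
```

Run it from an elevated prompt on an affected host. The hash comparison is the check that actually answers the commenter's point; the Authenticode call is only a secondary signal on Windows 7, where PowerShell does not consult the Microsoft catalogs, so use `sfc /verifyfile` when the signature status comes back as anything other than Valid.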
Kaspersky Lab has released anti-virus databases to which detection of the system file tcpip.sys was mistakenly added.
Anonymous